
Group policy precedence question


Trying to wrap my head around Group Policy, and have this question:

Lets assume there is an OU that has both computer and user objects in it. The following GPOs are linked to this OU:

GPO-computer: this GPO has both computer config and user config settings enabled. The User Configuration setting that has been enabled is “Remove My Documents icon on the desktop”.


Lets also assume in GPO-computer that the Computer Configuration setting User Group Policy loopback processing mode is not configured.

So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.

I assume then, that any user logging onto any of the computers targeted by GPO-computer will be affected by the user configured policy settings in GPO-computer, correct?

Therefore, there is a conflict; the users will receive policy from both GPO-computer and GPO-user; one policy will remove My Documents icon from the desktop, the other prevents this from happening.

Which user policy setting takes precedence?


It's whatever policy has the higher precedence (you can change the precedence of a policy at the same OU); by default it's the policy that was created first, as it will be applied last, unless the newer policy has been enforced.

GPO-computer will apply the computer and user settings, as will GPO-user. It's because the computers and the users are in the same OU. If they conflict, then whatever has higher precedence will win.


You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.


I thought the question was if it was a single policy with a computer configuration and user configuration setting that conflicted rather than 2 different GPOs?

Edit: Just re-read your post and it is 2 different GPOs, my mistake, I blame posting from my iPhone.


Err, the GPO that has computer settings configured is applied when the PC boots up and gets the Ctrl+Alt+Delete screen. Then if you log on with a user account that is in the OU *then* the user settings are applied.


Both GPOs will be read and processed by both accounts (unless security permissions or filtering were in play).

Generally, when a domain computer boots it runs through applying all the computer policies at startup; it reads both user and computer settings but only generally applies computer settings (unless loopback mode is enabled).

The user account will do the same when it logs in, reads both accounts, what it will check is its order of processing for that OU, and apply the last instance of that setting (e.g. if 2 GPOs have the same setting, one is listed as having an order number of 1, then that will run first, then one has an order number of 5, then that one with order of 1 should contain the setting that is used as it has higher precedence).

Or you could use RSOP or the modelling tool in the GPMC to find out which would take precedence.

Generally it is much better design to keep user and computer objects apart (for instance, you can save logon processing time by disabling unneeded computer and user properties, and future management will be so much easier), but AD is flexible enough to cater for this layout.
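The link-order and RSoP check suggested in the last reply, as an added example that is not part of the original thread. It assumes the RSAT GroupPolicy PowerShell module is installed; the OU distinguished name, computer name and user name are placeholders, and only GPOs linked directly to that OU are considered.

```powershell
# Added example, not from the thread. Assumes the RSAT GroupPolicy module.
# $ou, $computer and $user are placeholders; replace them with real values.
Import-Module GroupPolicy

$ou       = 'OU=Staff,DC=example,DC=com'
$computer = 'PC01'
$user     = 'EXAMPLE\jdoe'

# Links made directly on the OU. Link order 1 is the highest precedence.
$links = (Get-GPInheritance -Target $ou).GpoLinks

# Keep the links that can deliver User Configuration settings:
# the link must be enabled and the GPO's user half must not be disabled.
# Security filtering and WMI filters are not evaluated here.
$userSide = foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId
    $userHalfOn = ([string]$gpo.GpoStatus) -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
    if ($link.Enabled -and $userHalfOn) {
        [pscustomobject]@{
            Order     = $link.Order
            GPO       = $link.DisplayName
            Enforced  = $link.Enforced
            GpoStatus = $gpo.GpoStatus
        }
    }
}

# Enforced links first, then ascending link order: the top row is the GPO
# whose value wins when two of these GPOs set the same user policy.
$userSide |
    Sort-Object @{ Expression = 'Enforced'; Descending = $true },
                @{ Expression = 'Order';    Descending = $false } |
    Format-Table -AutoSize

# Confirm against what the client actually applied (RSoP logging mode).
# The user must have logged on to that computer at least once.
Get-GPResultantSetOfPolicy -Computer $computer -User $user `
    -ReportType Html -Path (Join-Path $env:TEMP 'rsop.html')
```

The HTML report lists, for each applied setting, the winning GPO, which settles the "Remove My Documents icon" conflict for a given user and computer pair.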
